The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical emergency directive requiring U.S. federal civilian agencies to patch a severe vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron, within four days. This directive comes amid confirmed active exploitation of CVE-2023-35078 in the wild.
As defenders, we treat CISA's "Known Exploited Vulnerabilities" (KEV) catalog entries as a signal fire. This is not a theoretical risk; the vulnerability allows unauthenticated, remote attackers to bypass API security controls on the management interface. Given EPMM's role in managing mobile fleets, a compromise here grants an attacker a vantage point to push malicious profiles, exfiltrate PII, and weaponize managed devices against the internal network.
Technical Analysis
- Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
- CVE Identifier: CVE-2023-35078
- CVSS Score: 10.0 (Critical)
- Vulnerable Components: The vulnerability resides in the API gateway component of the EPMM server. Specifically, it involves a missing authentication check on specific API endpoints.
- Mechanism of Exploit: The vulnerability is an authentication bypass. An attacker can send crafted HTTP requests to the AED (AppConnect Enterprise Dashboard) or MI (MobileIron) core API endpoints, specifically paths under /mics/, without valid session cookies or tokens. Because the API trusts the request implicitly, the attacker can access restricted functionality. In observed exploitation chains, this access is used to:
    - Enumerate user and device details (PII exfiltration).
    - Modify device configurations (potentially disabling security controls).
    - Achieve Remote Code Execution (RCE) on the underlying Linux server via server-side request forgery (SSRF) or configuration manipulation in some deployment scenarios.
- Exploitation Status: Confirmed Active Exploitation. This vulnerability is listed in the CISA KEV catalog. Proof-of-concept (PoC) exploit code is public.
Detection & Response
The primary ingress vector for this attack is the web management interface (TCP ports 8443, 443). Detection requires a two-pronged approach: identifying successful exploitation (RCE) on the host and identifying the malicious API calls at the network perimeter.
Sigma Rules
---
title: Ivanti EPMM Java Process Spawning Shell - Potential RCE
id: 9a3b1c82-8e4b-4d67-bc12-3e5a8f90d44e
status: experimental
description: Detects the Ivanti EPMM (MobileIron) Java/Tomcat process spawning a shell. This is a high-fidelity indicator of successful remote code execution following CVE-2023-35078 exploitation.
references:
    - https://www.ivanti.com/blog/cve-2023-35078
author: Security Arsenal
date: 2023/08/15
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/java'
        ParentCommandLine|contains:
            - 'mobileiron'
            - 'ivanti'
    selection_child:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/bin/sh'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate administrative troubleshooting by system admins (rare)
level: critical
---
title: Suspicious Access to Ivanti EPMM /mics/ API Endpoint
id: b4c2e910-1d3f-4a5b-9c8e-7f6a5b4c3d2e
status: experimental
description: Detects unauthenticated or suspicious access to the /mics/ services endpoint, indicative of CVE-2023-35078 auth bypass attempts. Note: Requires Network or Proxy logs.
references:
    - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2023/08/15
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: nginx
detection:
    selection_uri:
        cs-uri-query|contains: '/mics/services/'
    selection_method:
        cs-method: 'POST'
    filter_auth:
        cs-cookie|contains: 'MISSION' # Legitimate sessions often use specific cookie names; adjust based on local config
    condition: selection_uri and selection_method and not filter_auth
falsepositives:
    - Legacy integrations using hard-coded credentials (if cookie check is too strict)
level: high
KQL (Microsoft Sentinel / Defender)
This query assumes you are ingesting CEF or Syslog logs from your perimeter firewalls or the Ivanti server itself.
// Hunt for CVE-2023-35078: Auth bypass on /mics/ endpoints
CommonSecurityLog
| where DeviceVendor in~ ("Ivanti", "MobileIron") or DeviceProduct contains "EPMM"
// 'contains' is case-insensitive in KQL, so this also matches "/MICS/services/" paths
| where RequestURL contains "/mics/services/"
| extend Reason = coalesce(Reason, "")
| where Reason !contains "authenticated" // Filter if your logs tag authenticated requests
| project TimeGenerated, DeviceAddress, SourceIP, DestinationIP, RequestURL, RequestMethod, Activity, DeviceAction
| order by TimeGenerated desc
Velociraptor VQL
Use this artifact on the EPMM Linux server to hunt for evidence of the webserver (Java/Tomcat) spawning unauthorized shells or accessing sensitive configuration files.
-- Hunt for Ivanti EPMM Exploitation Indicators
-- Step 1: find the EPMM Java/Tomcat processes (=~ is a regex match in VQL)
LET java_procs = SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
  FROM pslist()
  WHERE Name = 'java'
    AND (
      CommandLine =~ 'mobileiron'
      OR CommandLine =~ 'ivanti'
      OR CommandLine =~ 'mics'
    )

SELECT * FROM java_procs

-- Step 2: look for shells whose parent is one of those Java processes
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name IN ('bash', 'sh', 'dash', 'zsh')
  AND Ppid IN java_procs.Pid
Remediation Script (Bash)
#!/bin/bash
# Emergency Remediation Script for CVE-2023-35078 (Ivanti EPMM)
# Run this as root on the EPMM appliance to verify version and restrict access.

VERSION_FILE="/usr/local/MobileIron/version.txt"

echo "[*] Checking Ivanti EPMM Version..."
# Check version (adapt the path if necessary for your install location)
if [ -f "$VERSION_FILE" ]; then
    cat "$VERSION_FILE"
else
    echo "[!] Version file not found at $VERSION_FILE"
fi

echo "[*] Checking for vulnerable configuration in web.xml..."
# Note: This is a heuristic check. Consult the official advisory for exact patch numbers.
grep -r "mics" /usr/local/MobileIron/core/installed/ 2>/dev/null | head -n 5

echo "[*] Emergency Mitigation: Blocking external access to /mics/ via iptables (unless patched)"
# WARNING: Verify this rule does not break legitimate MDM traffic before applying in production.
# This assumes the management interface is on eth0. Adjust interface as needed.
# Note: a payload string match cannot see the URI inside TLS traffic; it only helps where
# TLS is terminated upstream and plaintext HTTP reaches this host.
# Uncomment to apply:
# iptables -I INPUT -p tcp --dport 443 -m string --string "/mics/" --algo bm -j DROP
# iptables -I INPUT -p tcp --dport 8443 -m string --string "/mics/" --algo bm -j DROP

echo "[+] ACTION REQUIRED: Update to Ivanti EPMM versions:"
echo "  - 11.4.x (Build 1120+)"
echo "  - 11.9.x (Build 1120+)"
echo "  - 12.0.x (Build 1120+)"
echo "  - 12.1.x (Build 1108+)"
echo "  - 12.2.x (Build 1112+)"
echo "Refer to: https://www.ivanti.com/blog/cve-2023-35078"
Remediation & Hardening
1. Immediate Patching (CISA Deadline: 4 Days)
Federal agencies have 4 days; private sector entities should treat this with equal urgency. You must upgrade to one of the following fixed versions:
- 11.4: Update to build 1120 or later.
- 11.9: Update to build 1120 or later.
- 12.0: Update to build 1120 or later.
- 12.1: Update to build 1108 or later.
- 12.2: Update to build 1112 or later.
2. Network Segmentation (Workaround)
If immediate patching is impossible, mitigate the risk by restricting access to the EPMM management interface.
- Block inbound internet access to the EPMM management ports (TCP 8443, 443, 8080) from untrusted networks.
- Ensure the /mics/ API endpoints are not accessible to the public internet.
3. Threat Hunting
Assume compromise if the system was unpatched during the window of disclosure. Hunt for:
- Unexpected user accounts added to the mobile device database.
- Configuration profiles pushed to devices that were not authorized by IT.
- Web server logs containing successful 200 OK responses to /mics/services/MICS... requests without corresponding session cookies.
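The last hunting bullet and the /mics/ Sigma rule above describe the same check: a successful request to /mics/services/ with no session cookie. The following is an added example (not code from the original post or from Ivanti) that runs that check over constructed access-log lines; it assumes a custom nginx log format whose last field is $http_cookie, and it uses the placeholder cookie name MISSION from the Sigma rule, which must be adjusted to the local configuration. Unlike the Sigma rule it flags any HTTP method, not just POST, since an unauthenticated GET that returns 200 is equally suspicious.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed log format (assumed, not Ivanti's default):
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$http_cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str
    time: str
    method: str
    uri: str
    status: int

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_bypass_candidates(lines: Iterable[str], session_cookie: str = "MISSION") -> List[Hit]:
    """Flag 200 OK responses to /mics/services/ whose request carried no session cookie.
    session_cookie is a placeholder name (from the Sigma rule); adjust to local config."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        path = rec["uri"].split("?", 1)[0].lower()  # path only, case-insensitive like KQL
        if not path.startswith("/mics/services/") or int(rec["status"]) != 200:
            continue
        cookie_names = {c.split("=", 1)[0].strip() for c in rec["cookie"].split(";") if c.strip()}
        if session_cookie not in cookie_names:
            hits.append(Hit(rec["ip"], rec["time"], rec["method"], rec["uri"], int(rec["status"])))
    return hits

# Constructed sample lines (not real traffic); only the first one should be flagged
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Aug/2023:10:01:02 +0000] "GET /mics/services/MICS/api/v2/users HTTP/1.1" 200 5120 "-"',
    '198.51.100.7 - - [15/Aug/2023:10:02:15 +0000] "POST /mics/services/MICS/api/v2/devices HTTP/1.1" 200 310 "MISSION=abc123; JSESSIONID=def"',
    '203.0.113.10 - - [15/Aug/2023:10:02:40 +0000] "GET /mics/services/MICS/api/v2/users HTTP/1.1" 401 0 "-"',
    '192.0.2.5 - - [15/Aug/2023:10:03:00 +0000] "GET /login.html HTTP/1.1" 200 2048 "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_bypass_candidates(SAMPLE_LOG):
        print(f"{h.time} {h.ip} {h.method} {h.uri} -> {h.status} (no session cookie)")
```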